From owner-freebsd-pf@FreeBSD.ORG  Sat Apr 11 12:30:34 2015
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9580AE9C
 for <freebsd-pf@freebsd.org>; Sat, 11 Apr 2015 12:30:34 +0000 (UTC)
Received: from mail.familie-keil.de (mail.familie-keil.de [5.9.24.112])
 by mx1.freebsd.org (Postfix) with ESMTP id 208A8CC8
 for <freebsd-pf@freebsd.org>; Sat, 11 Apr 2015 12:30:33 +0000 (UTC)
Received: from familie-keil.de (unknown [10.100.0.1])
 by mail.familie-keil.de (Postfix) with ESMTP id 57F05ECE6
 for <freebsd-pf@freebsd.org>; Sat, 11 Apr 2015 14:30:26 +0200 (CEST)
MIME-Version: 1.0
Date: Sat, 11 Apr 2015 14:30:26 +0200
From: michael@familie-keil.de
To: freebsd-pf@freebsd.org
Subject: Re: Freebsd jail block out in lo1 while connecting back on ext_if
In-Reply-To: <a6a75f553f38f25f3da59fef92c7397c@familie-keil.de>
References: <a6a75f553f38f25f3da59fef92c7397c@familie-keil.de>
Message-ID: <1d7343ce9ad936f2b3a00a26c68fd095@familie-keil.de>
X-Sender: michael@familie-keil.de
User-Agent: Roundcube Webmail/1.1.1
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Apr 2015 12:30:34 -0000

 

After some additional research on pf and the lecture of Peter Hansteen'S
"The Book of PF", 
I was able to solve this issue by myself. Peter'S Book is worth each and
every cent and a remarkable source of knowledge.

The rootcause for my issue was a uncompleted nat/rdr setup alog with a
too optimistic "skip on lo". 

So I someone will come 'cross this post and has trouble with NAT Setup
and Freebsd jails on a cloned lo0 interface, please feel free to give
some deeper thought to following solution. 

Please remember to tighten your rules. "from any" in the first inbound
rdrs istn't a good idea. Maybe you want to block out fail2ban and
bruteforce issues. 

ext_if = "re0" 
jail_if = "{ lo1, lo0 }" 
jail_net = "10.100.0.0/24"
jail_web_adr = "10.100.0.1"
jail_web_ports = "{ http, https }"
jail_mail_adr = "10.100.0.2"
jail_mail_ports = "{ smtp, imap, auth, smtps, pop3s, pop3, imaps,
submission } " 

nat on $ext_if from $jail_net to any -> ($ext_if)
rdr pass log on $ext_if proto tcp from any to ($ext_if) port
$jail_web_ports -> $jail_web_adr
rdr pass log on $ext_if proto tcp from any to ($ext_if) port
$jail_mail_ports -> $jail_mail_adr 

no nat log on $jail_if proto tcp from $jail_net
nat log on $jail_if proto tcp from $jail_web_adr to ($ext_if) port
$jail_web_ports -> $jail_web_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port
$jail_web_ports -> $jail_web_adr
nat log on $jail_if proto tcp from $jail_mail_adr to ($ext_if) port
$jail_mail_ports -> $jail_mail_adr
rdr log on $jail_if proto tcp from $jail_net to $ext_if port
$jail_mail_ports -> $jail_mail_adr 

--- 

Cheers 

Michael